Stuxnet-Like Malware Discovered

There's a new piece of malware called Irongate, which is obviously inspired by Stuxnet. We don't know who is responsible for it.

Slashdot thread.

Posted on June 3, 2016 at 6:33 AM • 22 Comments

Comments

ianfJune 3, 2016 10:35 AM


Early days yet. Let's forget about it until we know something SOLID, otherwise we risk getting bogged down in sterile über-speculations over something that even the tech sources have to parrot off one another (as the 4 articles linked to by Bruce).

David LeppikJune 3, 2016 11:02 AM

From the Fireeye report:

IRONGATE's second notable feature involves sandbox evasion. Some droppers for the IRONGATE malware would not run if VMware or Cuckoo Sandbox environments were employed. The malware uses these techniques to avoid detection and resist analysis, and developing these anti-sandbox techniques indicates that the author wanted the code to resist casual analysis attempts. It also implies that IRONGATE’s purpose was malicious, as opposed to a tool written for other legitimate purposes.

Well, that makes it easy to avoid! From now on, critical systems should run as VMs, to make it harder for attackers to tell if they are in a honeypot.

(Simple solution, tough sell.)

hawkJune 3, 2016 12:14 PM

Well there you go - like Bruce said, "the good stuff isn't patented." So anyone can use this. Go ahead, use it.

Who?June 3, 2016 1:27 PM

@ David Leppik wrt Fireeye report

The malware uses these techniques to avoid detection and resist analysis, and developing these anti-sandbox techniques indicates that the author wanted the code to resist casual analysis attempts. It also implies that IRONGATE’s purpose was malicious, as opposed to a tool written for other legitimate purposes.

I can hardly imagine a legitimate purpose for these cyberweapons. It looks as a part of the U.S. cyberwarfare but who knows, a lot of countries are now joining this trend.

GrauhutJune 3, 2016 2:45 PM

@Who?: "I can hardly imagine a legitimate purpose for these cyberweapons."

A weapon has a payload, a lot of cybaaaware is just "because of because i can" proof of concept hacking stuff.

We dont know yet.

WaelJune 4, 2016 1:11 AM

Some droppers for the IRONGATE malware would not run if VMware or Cuckoo Sandbox environments were employed.

A) Wear the attackers hat:
1- Install VMware or Cuckoo Sandbox for "protection"
2- ...

B) "Cryptographic" method:
1- Make sure DLL is signed and verify DS upon loading it
2- ...

C) Proper way...
1- Identify security principles violation (Least Privilege, ...)
2- Is it architecture or implementation?
3- Check access rights
4- Check default user account privileges (privileged or elevated)
4- Check OPSEC
5- Answer the questions: why is a rogue app able to change a DLL? Why is a rogue app able to list all processes running? How did the rogue app get there in the first place?...

My ideal choice would be C). In the real world, sometimes one is forced to cut corners and go for either A) or B)

A) and B) "may" fix an instance of the Malware. When the malware mutates, things may still look bad. C) Will:
1- Help identify other issues
2- Protect against a class of malware rather than an instance (this example doesn't show this very well)
3- Protect against classes of attacks that utilize the same vulnerability

At least that's the idea, in theory...

de La BoetieJune 4, 2016 7:35 AM

I'd be interested to know from those with ICS industry experience, how prevalent operation inside VMs would be.

Seems to me that any kind of control center/system admin computers would be by default running in a set of VMs with all the benefits they provide - and not to do so is culpable negligence. The most basic opsec/compartmentalisation controls would include that facility, and it's not even as if it is particularly difficult or costly to do - if anything, the ability to pick up VMs as files means the admin and recovery is much simplified.

The problem being, I guess, that culpable negligence is not actually recognised or punished by courts.

Clive RobinsonJune 4, 2016 10:20 AM

@ Wael,

Like you I would think along the lines of option C.

There are various options open to SysAdmins to preventing the DLL getting changed. For instance, a simple cron style job could check the file system in various ways on a regular basis. This does however leave an opportunity window open to attackers which would need consideration. But atleast you would have moved from a state of not knowing to one that has a probability function based on the frequency of the cron style Job.

Any way of interest the upload came from Israel according to one article... Which raise all sorts of interesting thoughts. ;-)

WaelJune 4, 2016 10:51 AM

@Clive Robinson,

Which raise all sorts of interesting thoughts. ;-)

Like what? :)

Clive RobinsonJune 4, 2016 1:45 PM

@ Wael,

Like what?

You disappoint me, I'd have thought you would have put two and two together and come up six ;-)

So... The first question is why did the person upload it in the first place? After all if it's as elusive and undiscovered for so long as portraied how did the uploader obtain it to upload?

If they did not "find it" then did they develop it, or work in a place where it was developed and they in effect whistle blew on it.

If found why was it attacking a machine in Israel, could it be an early escape payback for Israel's involvment in stuxnet etc.

I Could go on but I don't want to spoil it for others who have their own ideas.

WaelJune 4, 2016 4:20 PM

@Clive Robinson,

You disappoint me, I'd have thought you would have put two and two together and come up six ;-)

Well, my ignorance knows no bounds!

If they did not "find it" then did they develop it, or work in a place where it was developed and they in effect whistle blew on it.

Perhaps it was a lab experiment, or maybe it has no purpose. Methinks it is like a Weasel... Just the appearance of "design". A couple of random bit flips here and there lead to this high-order virus :)

If found why was it attacking a machine in Israel...

I didn't infer this from the reports.

rJune 4, 2016 8:06 PM

@wael,

and maybe with the us/iran dethaw and all that maybe israel saw fit to continue along the lines of stuxnet without 'outside' help.

self reliance is a virtue to be sought.

rJune 4, 2016 8:21 PM

[resubmit]

@wael,

perhaps with the whole us/iran thing on defrost israel decided to strike out alone.

self reliance is a virtue to work towards in all instances, middlemen are the bane of your markup.

rJune 4, 2016 8:38 PM

@boetie,

he's an interesting tidbit posed at your question...

I've actually used sandboxie to interface with plotter software... when the plotter demo expires i reset the sandbox.

It's a cheap hack but i can definately see instances where the systems are upgraded but the host remains regressively exploitable inside a vm to maintain compatibility and interoperability.

rJune 4, 2016 8:49 PM

@boetie,

of course, what i mentioned is the inverse of what i propose.

so it's possible to infer either operating structure as legitimate, esp. where say the windows xp substations we keep hearing about being vulnerable are concerned.

upgrade to a vm capable host, duplicate the original host as a vm; persist. It potentially extends the operating window for anyone still decades behind.


@who?

i can give you a legitimate reason,

"disrupt? disarm?? denial???"


is that the correct phrase @Clive?

Don RumsfordJune 5, 2016 12:10 AM

It's a good attempt and will only be improved upon. No matter your position, you have to commend the effort of the developer.

WaelJune 5, 2016 1:01 AM

@r,

perhaps with the whole us/iran thing ...

Politics isn't my thing. Not so good at it. I learned not to believe politicians long ago since early college days. I'd rather read what @Clive Robinson or @Dirk Praet say about political topics.

YouKnoWhoJune 5, 2016 6:36 AM


In an attempt to establish his intellectual depth by proxy, @Wael discloses that, where politics are concerned, he would “rather read what @Clive Robinson or @Dirk Praet say about political topics.

I knot the absence of @YouKnoWho on that heavies list, and will henceforth double the efforts to fill column inches of this blog with long meandering-like hearsay of times past, Blechley trivia, and oh-so-fascinating insights into the making of nom-nom Belgian choco. Also to undermine Wael's uncalled for confidence using proven psychological methods once tested at Harvard on the young Ted Kaczynski.

WaelJune 6, 2016 3:09 PM

@YouKnoWho, @ianf,

Blechley trivia, and oh-so-fascinating insights into the making of nom-nom Belgian choco

What do you have to offer?

AnonJune 7, 2016 11:31 AM

It has been said recently, that who wrote a program can be fingerprinted, even in binary form.

With regards to this latest malware, obviously TPTB want it to be opaque as to who wrote it, so why isn't there some independent attempt to identify who wrote it? Where it was "found" or "uploaded from" could simply be a set-up to hide the true author(s).

As for politics - listen to everyone, but turn the BS-o-meter up a notch.

ianfJune 8, 2016 6:28 AM


@ Wael asks “what do I? have to offer

ATTENTION: legs crossed or it's Depends time. Again.

I dunno, did you ask @OnlYouKnoWho? Otherwise, not to mince words… yours is the wrong conclusion and ditto invocation. Figures.

Try this version of what have you got for impact (I picture Rimmer with a "W" on its forehead as a stand-in for you, while I'm sort of unplanned, then abandoned to fend for myself, one-interstellar-spacetime offspring of Lister's and the Cat's drunken dalliance [offscreen]).

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.